I ended up hacking the radio firmware to bypass the signal processing and stream the raw received samples from London to Sydney. I hacked a radio in Sydney to feed the London samples into its signal processing, then streamed the resulting samples back to the transmitter in London. I now had an LMR base station running in real-time over the Internet, with the radio hardware in London and the signal processing in Sydney. I was able to attach a JTAG hardware debugger to the DSP in the radio running the signal processing and find the bug. From there we did a firmware release and uploaded new firmware into the radios in London. Our radios stayed in and handled the stage management for the Opening Ceremony of the London Olympics.
Edit:
The customer must have been happy with the outcome, as they ended up using our radios for the Sochi Winter Olympics two years later.
Apparently, Tetris Friends only seeded their RNG once, and there were only a few hundred possible seeds (perhaps 256? I didn't check). So if you got the same initial seed, you got the exact same pieces for the entire game. Tetris Friends also happened to have a highly competitive global leaderboard, where you tried to clear 40 lines as fast as possible... and I happened to have recently learned how to use AutoHotKey. You see where this is going.
I restarted over and over until I got a good seed, then carefully played through a whole game, copying my inputs into a giant AutoHotKey script. Tetris Friends was a flash game, meaning it could only process so many inputs per second, so I had to insert a short delay between each input. Testing/debugging was a nightmare too, because I had to restart until I found the same seed again! But after a few hours, my script made it all the way through a game, and bam, I was #1 in the world.
Felt real good for about a week, until Tetris Friends purged the leaderboard. :^)
I looked into the problem and found that the memory allocation used malloc and free. I then defined macros for malloc and free in a common header to call my_malloc and my_free functions with the standard __FILE__ and __LINE__ macros passed in as parameters. Re-compiled the whole program with the macros, which redirected every call of malloc and free to my functions. My functions logged all the calls with the allocated memory pointer, the filename, and the line number. Once I collected enough log data from test runs, I sorted the lines in the log file by the memory pointer address. Every pointer address should come in pair, one from the malloc() and one from the free(). The odd number pointer addresses are the ones with missing free(). And I got their filename and line number right there.
I was curious to see if they had checked out my personal website, so I grabbed my webserver logs and I recognized one IP from the city the job was based in. More than likely, the public IP of the business in question.
On a whim, I ran the IP through Shodan.io and it showed that 47808 was open - The BACNet protocol. I had no idea what this protocol was, but I was able to download some odd enterprisey software that had the ability to speak BACnet. I connected to the IP:Port and found a long list of connected things - water levels, temperatures, lights, and more.
I wasn't interested in doing anything questionable with this information. I'm not even certain it allowed me to do anything more than look, but I like to think I could have e.g. turned off lights or adjusted temperatures in the grow rooms. I made the (risky) executive decision to let the hiring manager know that their public IP had an important port open to the world. I wound up getting hired by that business, and the first task I was assigned was to fix the open port.
I'm not sure if that counts as "hacking", but I was proud of finding the vulnerability / misconfiguration nonetheless.
I discovered (by watching another customer) that a certain kind of very expensive Scottish smoked salmon was 4 pence more expensive than the price listed on the shelf. The supermarket (Tesco) also has a large sign stating that if the price was wrong on any item, they would both give you the item for free and the money it costs.
I promptly went and loaded up a cart with nothing but smoked salmon.
It took 42 minutes of arguing with different store managers and pointing to the sign, but I managed to eat for free that week and even had enough to pay my electricity bill.
The reason I don’t feel bad is that particular store very, very often charged the customers more than the listed price and no one ever seemed to catch them.
I went in three months later, and the same salmon still rang up at 4p more than it was listed at.
I discoveted that, with a lot of tapping at exactly the right time, I could launch the marketplace.
With a lot of tapping at the right time I could trigger a voice search.
I then told it to install an app which disabled the lock screen.
With, again, a lot of tapping at just the right time and place I was able to launch the app and get into the phone.
Led to my first bug bounty (a new Samsung phone!) And my first million view YouTube video.
https://shkspr.mobi/blog/2013/03/new-bypass-samsung-lockscre...
Then I remembered my old Atari 8-bit programming days and the vertical blank interrupt (which there was on the PSX, but we couldn't run all the physics in the VBI time allotment). What we could do though, was to use setjmp/longjmp to switch contexts between threads and then hack the vertical blank interrupt to save off the registers from the main thread, longjmp back to the physics thread, which would then restore the registers of the main thread and longjmp back to it. Bingo, 29.94Hz pre-emptive two-threading (which was all we needed).
(I don't recall if we actually used setjmp/longjmp or if we just stored away the PC register to return from the interrupt and monkeyed with it to return from the interrupt to the physics thread [as if it was interrupted at the start of a cycle of the engine] and then return from there to code that would restore the registers and make it appear to the main thread that it was returning from a VBI.)
Within 3 days, I wrote a script to locate the dealerships, load each of the carriers' web pages, enter the address/coordinates into their coverage map, then take a screenshot of the results. Each of the carriers, of course, had their own way of displaying the coverage information, but it was mostly a color-coded map (example: green area = 3G, blue area = edge, gray area = no reception). So, I wrote another script to process the screenshots and deduce what kind of reception they had at the dealership (some 3500 in total, if I remember right).
Unfortunately, this feat was met with the proverbial "great, while you're fixing things can you also fix the printer" kind of response, but damn if I wasn't proud to compress a few weeks into 3 days in a clever way, even if I had no one to appreciate it.
By the way, the reason we needed this information is because we were rolling out Lexus RES+ (an early version of the remote engine starter) and they wanted to make sure that every single one of the dealerships could demo the service to potential customers.
So what I did was built a greasemonkey script to watch the DOM as they went through the sales flow and record the values as they were entered. I then built decision tree model of moderate size, exported it to a string, converted that into a big javascript function. Then, if the model said things were looking good, I modified the DOM to insert a little "alert" box on the top of the page. I handled all the state manually in case they navigated away or did things in a funny order. I knew zero JS or web development at the time, so this was SUPER hacky. But it worked! I then manually walked around to sales agent computers and installed the greasemonkey extension/script. I even got IT involved eventually to serve the script from an internal endpoint, allowing for easier updates.
The actual model ended up being just okay, and didn't have a huge impact on actual sales, but the exec team was SUPER impressed with the delivery mechanism. We had a parent company and they loved to brag to their superiors how we had deployed a machine learning model "for zero IT cost". They had me a do a writeup and everything in case someone wanted to copy my revolutionary idea. I'm sure some guy at the HQ took a look at my writeup and got a good laugh out of how incredibly obtuse, insecure, and hacky the whole thing was.
That said, I still think it was a clever solution and even wondered about turning it into some kind of product at one point.
School district thought they blocked access to the built-in OS games.
Nope, from any program (Wordpad, etc) you could FILE -> OPEN to find/launch/play Minesweeper.
Nothing makes an 8-year-old feel more like a "hacker" than subverting school controls to play video games, while also gaining cred with your friends.
The good ol' days.
The resume is the dumbest blocker in our society. If you can do the job, just write that on your resume along with whatever else you think they want to see.
I wrote a pile of scripts that scraped both sites, parsed and cached the data, and displayed it on a map. I was able to set search criteria based on location, and kludged it so that if something good came up, the system would automatically email the landlord if they made the email available, text them if they left a number, and text me a notification with a link.
The scraper eventually got pretty fancy as I expanded the service across multiple cities - it self-throttled and self-scheduled, based on the average frequency of postings on each platform in each city at a given time of day. The repost detector was working pretty well too, it added a layer of data to the results (eg, "this rental was re-listed 12 times in the past two weeks).
Once I found a place I liked, I made the site public and shared it with some friends, and it didn't take long until I was seeing steady daily use. The site even won an award from CIRA.ca!
I wrapped things up when I learned of Craigslist suing Padmapper for scraping their data. I wasn't monetizing, it was a cool project, but it felt like it was done.
Two things I did that were very fun:
1. School blocked a lot of popular flash game websites. My friends and I downloaded a bunch of flash games and threw together a website that we hosted on our chromebooks using '200 OK - Webserver for Chrome' or something. It was just a bunch of janky HTML and CSS, but we got it working. The school didn't block it because it was on the local network. We handed out slips of paper to our friends with the local IP address of my laptop. At one point someone made a Google Site with a link to the local address. It was a hack, but playing RUN 2 on your chromebook during social studies in 5th grade... man, those were the days.
2. Around that time one of my friends stumbled across crouton, a way to run Linux on a chromebook in parallel with ChromeOS. After a lot of trial and error (didn't know what bash was at the time), we were able to get Ubuntu installed. I remember downloading Blender and trying to do a fluid sim, which was super slow. I was able to render the first 20 frames of a domino and fluid animation using Cycles, which frames I still have sitting on my hard-drive somewhere to this day.
Some of my first hacks, older me is surprised how much younger me was able to get done given how much younger me didn't know.
I added support for the '\ ' PostScript escaped space sequence to a custom, high-performance PDF parser.
A former employer used this to derive key figures from financial statements. Any change to the parser had to be Pareto-optimal: so if you modified the parser, it should not fail to parse any key figure that was previously possible to parse. Adding this improved reading word-wrapped text in hundreds of cases and key figures in dozens; I recall that my bosses thought it must be a mistake, and that I had to convince them by finding the right section in some Adobe PDF spec.
I wasn't an expert at the PDF format. But stumbling on a number split in two by apparently nothing, and digging up a 0x5C 0x20 '\ ' with a hex editor, I seemed to recall that PDF was built on top of PostScript, and that TeX / LaTeX syntax was somehow related to PostScript. So it struck me that what was a literal backslash in the PDF must just be an escape sequence.
For those who weren't or haven't, it was a geofenced, anonymous message board app targeted to college students that became fairly popular over the first two years of its existence before gradually fading into obscurity and finally being shut down in 2017 (but as of 2021 was rebooted with pseudonymous accounts, IIRC). Users could see any messages within a certain radius (0.5 miles or so, I think) and messages could be upvoted and downvoted, and were sorted by their vote score. Messages with a score of -5 disappeared forever, and I think also eventually aged out.
Being a chaotic sophomore with some Android experience, I decided it would be fun to decompile the app and see how it worked. I discovered that each device was assigned an ID based on a timestamp, IMEI, and a few other pieces of information that could be easily spoofed, by calling a fixed HTTP endpoint to generate as many new IDs as I liked.
I generated ~500 or so IDs using some Java code, hardcoded them into a .class file, and added some hooks to intercept existing calls to set up the Android UI and add my own event listeners. From there I added a button to the app's menu bar with a radiation hazard icon that would use the generated IDs to nuke every message in range of the user, downvoting them all to -5 and causing them all to disappear instantly. I also added the ability to long-press the upvote and downvote buttons, which would bring up a dialog with a slider allowing the user to upvote or downvote any post up to 500 times, sending it to the top of the list (or downvoting it to oblivion). Finally, I rebuilt the app with my added .class file patch.
Needless to say, this was a source of great fun and mischief for my friends and I. The most entertaining event was attending a hackathon at our (much larger) rival university's campus, where we nuked every local post a few times a day for 72 hours and voted our own posts up 500 times.
It was fun to mess with for a few months or so. We never distributed the patched app, for obvious reasons, and we never used it for anything truly malicious beyond being a mild local nuisance denial-of-service.
I have started using xdotool [1] to create bash scripts that send mouse clicks and keystrokes to apps. Interleaving calls to xdotool with the "sleep" command [2] produce a convincing effect. If I need to redo a video to fix typos or after a program update, I just fix the bash script and restart the recording.
Alas, the only thing that is missing in my videos is the sound of keyboard clicks… But nothing is perfect!
I identified the microprocessor as a 6502, based on board topology, even though all IC markings were removed. At the time (before the internet), I could not find a 6502 disassembler, so I wrote my own. I successfully decompiled the code, figured out how it worked and found the parameter "maps" stored in ROM.
Loaded these into Matlab and wrote scripts to allow my colleague to tune the maps and write them back to EEPROM.
It was a couple of weekends' work for me, and I never thought about monetizing the knowledge. Several years later, I met another colleague who did the same for the Mazda RX7 ECU, and made a tidy side income selling "performance ROMs". C'est la vie.
glibc had a dynamically allocated data structure to keep track of semaphores, but musl libc only had a fixed-size 256 element array. When the semaphore limit was exhausted, Ansible would fail to keep track of the connections, resulting in a network timeout error message. I fixed the problem by forking musl's semaphore functions, making the array resizable, and loading the implementation with LD_PRELOAD: https://github.com/chenxiaolong/musl-sem-ext. Worked perfectly for 6 years until we decommed our data center :)
My proudest (and also maybe least proud at the same time) was writing a BASH script that was able to successfully replicate a complex server environment that had been previously built by contractors for an essential service that we needed to re-deploy, both for growing regions, but also to resolve a possible security issue due to how the contractors had deployed it. I had to basically reverse engineer every aspect of the service, built a deployment backend that I triggered, and did all of it in a fully-automated way that would break in known manners if it failed. That script went on to be used to deploy the entire service globally to ~12 regions on hundreds of servers.
The thing I'm most known for in that company was when I was working night-shift support and a customer called in with a server that had one of the drives fail on a Windows box, and apparently had decided it was worth saving $1/mo to not have backups. Because it was night-shift and nothing else crazy was going on, I decided to delve deep and I managed to get things back up by rebuilding their partition table by hand in a hex editor and avoiding some specific bad blocks so we could copy the data to a second drive DCOPS temporarily installed in the server, then we reinstalled the box and I migrated all their data back and brought their website back up. It took me around 9 hours, and at the end of it, the customer called in to complain about how long their site had been down, gave me the whole spiel. I had ended up staying late, so handed things off to the most senior person on the next shift that had a chance of understanding what I had done, and when I got done transferring the call I walked up two floors to talk to them directly to warm handoff and could hear the customer screaming through their headset from 3 cubes away. I became a legend for doing the most thankless task anyone had ever done for a customer in support.
Usually we would simply have modified/rewired a car so that a bluetooth connection to open it would work (for the demo only, of course). However, the keyless entry was designed to be so secure that it would have taken us far too long, even with our insider knowledge. My team leader had the brilliant idea of simply printing a 3d housing in which the original car key and an arduino-controlled servo could be installed, so that the arduino could press the key. We placed this device close to the car and remotely controlled the arduino. The demo worked perfectly and everyone was happy (afaik the project was not funded though).
I saw the excel file, asked for 5 minutes, came back after 15 and had solved the problem to such a degree that it went from wasting two hours for two teamleaders on every night we did this job to being almost trivial for one to do in 5 minutes.
And the solution was trivial. Like really trivial. But no one had thought of it before : )
Second best probably when I saved a messed up server in US (an person on site hadn't noticed the . in rm -rf ./bin and had proceeded to use sudo without thinking, as every Linux user does when they go through that dangerous phase).
I realized I still had one ssh connection to the server, realized either scp or rsync or something was in sbin (or somewhere else) and we could use it to copy the necessary binaries to get it back on track.
This easily saved us a 3 days (RHEL with Oracle 11g something easily took days to get right and it also was a massive pain to do).
In theory this gave you a lot of options, but in practice, switching palettes tended to cause "palette flash" where the previous image changed color in a distracting flash.
I was doing a multimedia project that had video in it, and each CODEC had its own built in palette -- one for Cinepak, one for Indeo, etc. Then there were other palettes for the images. If you wanted to display video in a window on a page that had other graphics, you could determine the palette of the CODEC (with some effort) and then use that to dither your graphics. Theoretically they should play nice together, and it worked on some cards, but you'd still get palette flash on other mainstream graphics cards.
I tried every trick I could think of but could not eliminate the flash on every single card until I came up with this hack:
Make a video consisting of a single frame with a 1x1 black pixel, compressed in the desired CODEC, display a black screen for a moment, play that video (which was as fast as could be because it was so tiny) over the screen, then load your image and real video.
The black screen couldn't flash, and when the next screen and video (the real one we wanted to play) came up, the palette was already set correctly. And it worked on every video card.
To enter a demo competition, one of the criteria was support for Sound Blaster sound cards. The problem was that we didn't have one and didn't want to buy one because we had already spent all our money on Gravis Ultrasound cards. Fortunately, a member of our group was able to borrow a Sound Blaster for a day. We had to figure out how to add support for it, but we had no documentation and there was no internet to speak of yet.
I figured that it must be possible to add support by sending I/O to the card. We put the card in my computer and started a third-party MOD player that had Sound Blaster support. I traced the execution in a debugger, instruction by instruction, while my friend took notes on all the I/O instructions. After some thought, it became clear that the program was scanning for a Sound Blaster and, if I recall correctly, configuring the card to DMA a particular byte in memory as the sound card output.
I added some hardcoded "OUT" instructions to my player and it worked instantly; my real-time mixer output was played through the Sound Blaster! There was a lot of cleaning up the code to be done, but we were able to add support for the Sound Blaster in just one day.
I never shared this beyond my personal friend group. We went on to play (cumulatively) probably two thousand hours of AI War using this crack. Once I got out of college and got some income, I bought 4 copies to make up for it. Sorry Arcen!
We'll, it sorta worked. In this state I somehow recognized that the device placed on my fingertip must be a blood sensor of some sort, and that squeezing my finger might mess with the readings. I made it through two rounds of setting off alarms before the nurses caught me. I was immensely pleased with myself!
There was a wand thing with an NFC writer some people could buy that could temporarily ignore the region check and put it in “race mode” which allowed any power level to be set. However those were restricted sales, the consumer version of the wand didn’t have the race director mode. Eventually i ended up with one of the race director wands too but not before i tried to hack the quad.
Anyway, i dumped the firmware. Figured out what the CPU was. Disassembled the firmware blob. I traced where the region check was performed then overwrote the instructions with noop’s. Assembled, flashed and then promptly flew it into a tree at 50mph.
It survived just fine. I still have it to this day, just with upgraded motors.
dd if=linux.iso of=/dev/sdb
recovered all the images using Foremost [1], fresh out of image processing and machine learning class, end up writing a image clustering "software" [2] that help me separate the useful images from worthless thumbnails and images that chrome have cached.
So a “cat /dev/tty* > passwords.txt” and waiting an hour collected the credentials of everyone logging in to the server.
At some point, I had logged into the account of one of the sysadmins who msgd me and let me know he’d changed his password and this would be my last time on his account. (If he only knew.). He offered me my own account if I told him who I was, and he might have meant it, but I didn’t bite. About a month later, a patch fixed the issue and that was that.
After we hit a certain number of frames/second, RabbitMQ became a bottleneck. My solution was to write the JPEG frame in the shared memory, then pass around shared memory ID, offset and frame length, instead of the whole frame. Only services that actually needed the frame would read it, others would just pass around a small JSON object. After that was implemented, the bottleneck disappeared.
I don't know if this qualifies as a "hack", but it certainly felt that way in the moment.
[heavy cream powder]: https://www.amazon.com/Anthonys-Fillers-Preservatives-Friend...
[baby formula dispenser]: https://www.amazon.com/Philips-AVENT-Powder-Formula-Dispense...
We were doing this everyday, so it cut the processing time from many hours to seconds. We swore each other to secrecy about this development and marched off to Dunkin’ Donuts with our giant ice coffee belt-loop holsters to celebrate.
I was kind of wanting to move from the SmartStart team to the storage driver team, but I didn't really know too much about drivers, so I started digging into how to write drivers for SCO OpenServer, and made a little driver where you could write 256 bytes into it, it would store this in memory, and then you could read them back out. Suddenly, an idea occurred to me... what if instead of 256 bytes, I made the buffer 1.44M bytes, the size of a floppy? I'd have a RAM disk that I could use in the build process instead of physical floppies. (The native RAM disk wouldn't work for reasons I now forget). So I tried it. It failed, on some ioctl call. I coded up some dummy code for this ioctl in my driver, and... it worked. And it was way faster than the actual floppy drive (obviously). So I ended up completely automating the build process, eliminating the error prone and slow floppy drive, and having now written a driver, I ended up getting off the SmartStart team and onto the storage driver team, which was way better.
(Graphite in pencil lead is a weak conductor, enough to make the keyboard circuit work)
If you've never worked with stereo vision systems, they have multiple cameras as input. The algorithms need to know the exact position of each camera. These calibrations are extremely sensitive - if the camera moves even a teensy bit, the algorithms start to fail because the image features aren't where they expect. Anytime we had a bad calibration, we needed to rerun calibration. This was a process where we waved a checkerboard in front of the cameras at tons of different angles, and software would process all the images and deduce the pose of each camera. It typically took at least an hour, and sometimes it'd fail and you'd need to redo it. Typically we'd need to recalibrate systems every few weeks, no matter how hard we tried to make the whole rig rigid.
Anyways, one day I accidentally drove the robot's sensor head into a table right before a demo with the people funding the project. The program started spitting out "BAD CALIBRATION" warnings. This would basically mean we'd need to cancel or postpone the demo to recalibrate, which would look really bad since they traveled all the way to our office only to be told "never mind!"
As a last-ditch effort. I grabbed the cameras and started wiggling them back and forth, and managed to force them into an orientation where the calibration worked. The demo went off perfectly. I later told the researchers about it and they hated it. "You should just always do calibration," etc.
My favorite hack that I've seen someone else do was at Google, where some specific project had a weird test that checked some ratio like "lines of tests to lines of code." Someone checked in a test with the comment "If you're not cheating you're not trying", and it just had the same assertion over and over for hundreds of lines to satisfy the metric. I never looked into why the person couldn't just disable the test, but I like the simplicity of the solution.
Here is the demo: https://jcu.bi/css-image
I built/launched an entire transactional site: signup/login/purchase membership while walking the Camino de Santiago in Spain, in 2017, for a small event (swing dance event).
Was supposed to spend the two months prior to going there working on it, but because of delays in planning etc. I didn't really get started until the week right before, which meant I had to haul my old MBP 2015 on the walk. So basically, I trekked something like 18-20 miles a day lugging that thing (and the charger), then spending mornings/evenings in the little hostels (more like barracks) writing code (most had wifi, thankfully), then the next 4-6 hours thinking through how to design/build every little piece, then find a cafe with wifi to implement some of that in 2 hours, then walk another 4-ish hours. Then write more code.
Surprisingly, there were almost no bugs at all, since I'd have to iron out every single thing during the walk (what else are you going to do walking through middle-of-nowhere Spain, which is all farm land, anyway?).
In the end everything worked! Paypal integration worked! Hundreds of people signed up and bought membership on the system! Oh, and this was my first project of this sort, and I was the solo designer/developer on it. I also had to design our logo, branding, and T-shirt as well.
(Stack: Meteor, DO)
I whipped up a program that periodically every 10 minutes would query the database filtering for dogs matching the qualifications I was looking for using a combination of regex to search for any dogs that were:
- Between 50 and 100 lbs
- Did not have a history of behavioral problems
- Matched a list of active breeds
When it found a potential match it would send an SMS via Twilio to my phone with a picture of the dog, a link to the shelter, and a picture.
Several years later my huskee / Pyrenees hybrid is the best running partner I could ever have asked for. That's my proudest hack and I think she would agree with me.
To rent a movie, a phone line had to be connected to the receiver box. The box would dial out to DirectTV and send over the information that "jrib purchased movie X".
I learned that I could connect two phones directly with a 9V battery and the right resistor in the middle. So I connected a phone line on one end to the DirectTV receiver and on the other end to random phone.
The receiver waited for a dial tone, so then I played a dial tone sound on repeat on my computer into the phone's microphone.
It worked and I got to see the movie!
I felt really guilty though so I told my parents a few days later and we let the satellite box connect to a real phone line to pay for the movie :)
This link explains how the phone circuit is setup: https://hackaday.com/2012/06/08/using-old-phones-as-an-inter...
I was able to remove one (1) machine language instruction from that innermost loop. I no longer recall if this resulted in a measurable difference but I've always been proud of this.
I've open sourced the technique with a more detailed writeup [1] and I like to think the game I created with it is pretty fun, [2] but of course that's subjective. You can try it in your browser here. [3]
[1] https://github.com/zeta0134/z-saw
[2] https://zeta0134.itch.io/tactus
[3] https://rusticnes.reploid.cafe/wasm/?cartridge=tactus.nes
That led to a second, though lesser, hack. The problem turned out to be code that was allocating way too much memory. (Userland programmers working in the kernel, ugh.) This would sometimes cause the stack pointer for one task to jump all the way over its task structure into the stack of the previous task, which would make that stack very confusing. That's why it took two days to figure out, even with dumps in hand. (Also, putting the stack right next to the task structure was a stupid decision on Linux's part.) To find the dozens of places where this was happening, I wrote a tool to disassemble all of our kernel code and look for the part of the function prolog that allocated stack space, thus creating a list of those that were allocating too much. Then I spent a week fixing them.
It was a grueling process, under lots of pressure at a struggling startup, but ultimately the result was very rewarding.
Another hack: I once was consulting for a client who was running Drupal and was going to launch their new site the next day, but suddenly it started crashing on some of the pages. I found out that you can take a core dump of Apache and load it into gdb. Then if you run some gdb macros, you can see the PHP stack trace at the time the crash occurred. Turns it it was some module (tokens?) they had recently enabled which was recursively calling into itself. Not sure why it didn’t hit some stack limit, though. We disabled the module, which fixed it and the client was super happy. If I knew more about Drupal, I probably would have disabled modules in a form of binary search as a first troubleshooting step. But I did know a little about gdb, so that came in handy.
I was working for a medical device company that shall remain nameless. They had a system that was used in operating rooms that had a fairly nice user interface - bubble keyboard, touch screen, good graphics. It let you input patient information and stuff. (At least part of it was running embedded Linux under the hood.)
In the source code, I saw what it did with the patient name - it used a call to system() to store it in a file. So naturally, I tried an injection attack. I put in "[Name]; sync; sync; reboot". Sure enough, it rebooted the system.
But before the reboot, it had also saved the "patient name" in the file (and, because of the "sync", it had been written out). On boot, it read the information from the file and tried to treat it like a newly-entered patient name, which caused it to reboot again...
We had to re-image the device to recover. We added some validation to user input after that little demonstration.
At the time, Microsoft had some live broadcast streaming service built into Windows 2k server that would allow you to stream audio from the computer, so I put together a web front that allowed me to build and save a WMP playlist file along with controls for to start/stop WMP, causing it to re-read the file.
The result was that I could listen to my own music on any device capable of receiving streamed audio, and could control it on anything with a web front end.
As it turned out, due to bugs in the hardware and the board, the "correct" answer by the manual would not work and this was the only way to get a working setting. My little hack became part of every boot of the system - it auto-generated the DDR timing. This was back in the early 2000's before DDR training at boot became standard practice.
About a year later an intern showed me that a coffee stirrer also can work to open the lock, but I bet he won't write about that in a forum.
Enter my Lego Mindstorm. I effectively built a box, on wheels with a big thick stick pointing out I loaded that guy up with NQC - built a small application for my Palm Pilot. The modem on the palm pilot would pick up, accept a certain DTMF code, and fire via the infrared port a signal to the Mindstorm. The Mindstorm rolled forward X revolutions of the wheels so that the long arm hit the reboot button, rolled back.
Yes, eventually I bought RAM, but that eliminated all the fun.
Well, I made a horrible mistake. Right after deploying (compiling then manually copying a .class file onto our server), I accidentally lost the source code to all my work. There was no backup of the changes I'd made, and source control didn't have it. All testing was manual - which was a horrible process we went through before every deployment. So if I half remembered my changes, I'd have to manually test everything again and hope I didn't mess anything up.
All I had left was the compiled java .class with my changes in it. I was terrified to even tell my boss given all the work.
Well, I tried decompiling the .class file with my changes in it - but the result was 10k lines of nightmare fuel. How could I find my changes in that? But I also had the java file from a few weeks earlier, before I made my changes. So I compiled the previous version, then decompiled it. Then I diffed the two decompiled source code files. That showed me (in decompiled java form) all the places where I'd made changes, and with some work I managed to figure out what all my changes were.
A few hours later I had re-implemented all my changes in the java source file. I could guarantee I'd done it correctly because the output from the decompiler matched perfectly. So we didn't even need to re-do all our manual testing.
I don't think I ever told my boss.
Took two hours to begin learning about a sed command.
Spent a half hour testing it locally on the MacOS terminal. I didn't wanna screw it up. Made several mistakes on local. But eventually I think I got the hang of it.
Now it was time to run it on live. I'm nervous again even though I just spent a while testing. Ran the sed command to search and replace text.
Worked like a charm.
Pretty much a trial by fire moment. No mentor to show me how. Just me and my ability to read to documentation and apply it. That's all I had at my disposal.
I know server admins do this shit like in a couple of minutes but at the time this was me venturing into servers and making a change on live site and reading a man page and blog tutorial. So for me it was a big deal. It taught me not to fear to learn the shell.
I've done way harder things since but I still remember this moment of almost a decade ago.
One Saturday afternoon a call was escalated to my mobile while I was at a friend's house. A remote site had a server failure, everything was down, and they couldn't pump petrol, help! I spent a little bit of investigation aided only by a non-technical console operator acting as my remote hands we determined the server was beyond repair. So then I talked the operator through installing the network operating system on a different computer, reinstalling the POS software, re-configuring all of the serial hardware for the ports on the new machine, setting up file sharing, restoring data backups, etc. Essentially building an entirely new system from scratch.
After 4-5 hours on the phone they were back up and pumping petrol again. All completely from memory, no computer, manuals or documentation to hand.
Early 90s, a friend let me borrow a copy of a game he had, which included a physical codewheel you use to prove that you own the shareware. I thought about copying the codewheel so I could return the floppy to him and still play, but I'd read that computers have no way to make random numbers and usually seed the random number generator with the current time. I made a batch file that set the time to a specific value and then launched the game, and memorized the code I'd get if I sped through the main menu as fast as possible.
The problem they had was that they had managed to lose the source code of the app, lol. Since the app was a simple webview wrapper I decompiled the apk to some horrendous java monstrocity and carefully extracted all used logic, the html, css and js and created a new webview app with the slightly modified code.
Oh and I had no experience in Java or Android development :)
Another hack I was very proud of:
Some weeks ago I had to pick something up with a car trailer. I went to my parent's place to get it and when checking if the lights worked (it was dark already) it turned out that they did not. Since I was driving to a larger city I could not just go without lights.
The problem was, that I really had to pick this up and also I had no extra time to find an alternative solution, so I wiggled the jack of the trailer's cable in all directions hoping to clear out some oxidation. After some minutes of trying I found a specific position in which the lights seemed to work.
Taking out the good old duct tape from my car's trunk I fixated the jack against the trailer hitch. For some reason it actually worked and did not break. I was very proud of this hack!
Obviously I didn't fix it yet :-P
We were on Mt Erebus and I needed to power some 6V carbon dioxide sensors for my work. We had lots of 12V lead-acid batteries, but we knew they were made up of 6 roughly 2V cells. We drilled a hole and put a screw in the middle. Now we had 6V batteries.
I noticed that if you malformed a certain command, a mere syntax error, it would crash the game clients of everyone else you were in a chat room with (the game had in-game chatrooms). I was apparently one of the few who knew this because the game didn't immediately become a crash fest as it would have if word had spread.
There was a game mode where players would begin the game frozen with the clock stopped. This allowed serious games to be organized where all players were ready before the match began. I found a command that allowed me to unfreeze my character, and I could move about while everyone else was frozen.
There was a debug command that would dump the location of all players and deployable items. I wrote a script to dump this data, parse it, and update my hud with the data, several times per second. This was cheating, but it did serve as one of of my first experiences with programming. It was a hack I made myself and did not share, although I know others were aware of this cheating technique. This was later in patched out of the game.
They eventually caught on after around 10 million hands I think, banned me, stopped me from cashing the remaining funds out (wasn’t that much since I withdrew frequently), and changed the odds of the game.
Also use it to store critical password and keys, and have copies of my passport with me everywhere.
I initial did it to help a friend who wanted to customize and sell bycicle bells. since most printing techniques are made for flat surfaces this creates an interesting challenge. The solution I eventually arrived at involves a pen plotter and a custom fixture. There's actually a article about it here: https://www.evilmadscientist.com/2019/bike-bells-with-axidra...
And by the way, the obvious way to produce them would probably using transparent stickers a heat gun an a coat of varnish but where's the fun in that.
For 10 examples you're getting a 25-cent coin from a coin dispenser. You can keep it or you can use this money to buy Internet access. My OpenWrt router is connected straight to coin acceptor. For one coin you're getting 30 minutes of Internet on all devices (iPad and PC).
Since it's all automated I don't need to involve too much into education process. Math score in school has greatly improved, the kiddo solved thousands of examples.
Coin dispenser is proprietary (found on ebay, one of popular model), so I literally had to hack the USB protocol. The coin acceptor had no USB interface, so I had to introduce one. I've connected this USB to my OpenWrt 32-bit router, which is also ARM - so I had to hack some USB libraries along the way so my binaries can work with USB right from OpenWrt.
So, I resorted to a few low-quality hacks.
The first was a QR Code parking app. It worked by just placing a qr code on public parking meters. I marked up the parking from like from 50 cents to a dollar. I kept 50 cents and payed for the parking through the official app with mitmproxy. Someone eventually reported it.
I had to ask my dad for help reimbursing the city—which he was not too happy about.
The second hack of a washing machine was disclosed properly, although no firmware patch was ever released.
[1] https://news.ycombinator.com/item?id=29814973
[2] https://shakey.blot.im/reverse-engineering-a-popular-laundry...
But how to measure this? The LCOS displays were buried deep inside some optics, and the only light that reached them was the laser light which was pulsing at the same frequency as the signal I wanted to measure, and the laser PSU was incapable of driving it faster. I did however have an pulsed energy meter, which I'd managed to interface to a computer so I got a readout for every pulse.
Sudden insight: flip the switch on the laser power supply from "Ext. trigger" to "Internal trigger". Twiddle the fine adjustment on the PSU frequency knob until the laser frequency was 29.95Hz. Watch in satisfaction as the energy meter described a neat sine wave over the course of 20 seconds - the beat frequency between 30Hz and 29.95Hz - confirming that the reflected energy swung wildly depending on the relative phase.
It was a small and simple hack, and I've poured much more sweat into much grander "hacks", but I will always be proud of that lightbulb moment.
More recently, replacing `7z.exe` with a PowerShell script that logged input, to get archive passwords for an obfuscated data format. Not technically impressive at all but a few days were saved and lolz were had.
PeoplePC's sign up was completely online, which was pretty new for the day. The trial setup would first dial a toll-free number to get local POP numbers, and then dial the local number to complete the registration. Well, after poking around to see if I could get around the dialup procedure for the temporary Dial Up Networking account (young me at the time wouldn't know that those creds were in the registry for my perusal), I popped open a web browser, and to my surprise, the local pop account had full internet access. Unfortunately, the trial had a timebomb, so after 10 minutes of inactivity in the setup app, it would close the connection, and remove the DUN account.
Young me however was a wannabe hacker, and had among other tools, a hex editor at my disposal. Finding the temporary setup directory, I copied the contents into another folder that would persist beyond the setup, and started scanning through various files. Eventually, I found what looked like a username and password cleartext in a binary, and copied them out. Tossed them into a fresh DUN entry, and discovered that the account... just worked. Like that, I had free dial-up networking, effectively whenever and wherever PeoplePC had a POP. I rode that for a good couple years until we eventually got our first DSL modem.
Honestly not the hardest or most impressive hack in the world. For all I know, PeoplePC was aware of my usage of it, but because the password was etched into hundreds of thousands of setup discs, it's not like they could rotate the creds. But for a teenage me that just wanted access to the unfettered internet, it was pretty neat.
Me and my friend started exploiting the bug like crazy, spending hours literally just doing that. The problem was that the process to exploit this bug was very convoluted and a pain to do manually.
I had no experience of programming nor anyone around who knew anything about it, but I felt that there must be a way to do the whole process automatically. Computers are meant to automate stuff, right? Anyway, I started investigating online and found AutoIt, which is a BASIC-like scripting language that allows you to automate GUI stuff.
I then began building a script that did literally what I had to do manually to exploit that bug. And literally means literally. The way I made it work was by scanning colors in coordinates (to check whether a window it's opened, etc), moving the mouse and clicking. The script was full of duplicate code. I didn't knew about loops. All I knew was if conditions and mouse actions. I even remember having to go to a forum and asking for help (in super broken English) because I wanted to keep the program running indefinitely (they told me to use `while true`). But it worked.
Anyway, I spent about two weeks of after school afternoons building this bot. Then, when I had it working, got banned in a matter of days :^)
This might not seems like much, but I remember it fondly as this was my introduction to programming and the reason this became my career. I'm still holding onto the (terrible, terrible) script.
1. Synced all 5 using git-svn into 5 branches
2. Used filter branch to rewrite each into its own folder
3. Handcrafted a single merge commit that combined all 5 branches into one
Vendors wouldn't share code so I broke it, looked at the error logs and wrote my own version of a indexed vector that reordered the operations using a knapsack algorithm and in a way that allowed us to run 50-100 parallel threads. Maybe 500 lines of code.
Knocked some heads together to get downstream systems to start importing data as soon as the first files arrived rather than wait until the end.
CTO (I'd never heard of him, it was a $30B company) didn't believe management about the months of time we'd saved, needed it all explained, was very happy.
Rewriting a C++ matrix library to change its API back in 1996/1997, for a 100x speedup.
It was a nice library... It had things like a = b + c; ... but back then, C++ really didn't have tools to support that syntax with great performance. Especially mixed with a bad allocator, that prevented multi-threaded allocation.
I then wrote a quick and dirty comms program to suck the data in, discard the unwanted control codes etc, and scrape the data into a usable form.
This was in pre-windows days, so the data going to a dot matrix printer was pretty simple. It would be a lot more chewy now I suspect.
I wrote a script to capture and replay network traces from Wireshark (then called Ethereal) that included keeping the timings intact. Caught the bug reliably every time.
I still think that's the best thing I every did.
The testing office was in LA. The audio and metadata was in Ireland. The lag across the public internet consistently failed their tests.
So I deployed a small read-only copy of the API in an LA data centre which tunnelled inside the cloud provider back to Ireland. I used DNS geo tools to ensure the tester transparently hit the local LA data centre.
We passed their tests with ease and landed a 6-figure contract.
The hardware customers probably had a terrible experience though...
[1] https://imgur.com/a/sN8om7u [2] https://en.wikipedia.org/wiki/Steven_M._Bellovin
I wrote my own browser automation scripts to create our own internal patient API. Ended up reducing claim billing errors by a ton and resulted in 6 figures a month in additional revenue.
However the enterprise IT/infosec folks at the client didn’t like our project and refused to whitelist our upstream host so it was not possible to download things into the client environment without going through a virus-checking firewall. This imposed various restrictions:
1) It prevented any executable, tarball etc from being downloaded. Basically if it was in a useful file format it was no bueno.
2) It prevented any file over a certain size from being downloaded. If it was over the size, the firewall would just cut the connection.
Time to get the unix toolset out and get to work. I realised first that I could easily get around #2 by slicing the file into chunks, downloading each chunk and then reassembling on the client side
#1 was a bit more tricky. The first thing I tried was encrypting the file. This would theoretically mean the virus scanner wouldn’t be able to find any signatures of hostile file formats, but it turned out that the encryption itself made the first bit of the file predictable and so my first chunk kept getting blocked.
Soo….. I added some random noise onto the front of the file. Once I tuned the length, it meant the virus scanner didn’t understand the encrypted file so it got through.
The two resulting shellscripts (called “shred” and “unshred”) are probably my favourite ever hack. You’d run “shred” on the far side, which would take any listed input files, put them in a tarball, encrypt it, add some random noise to the front and then cut it up into chunks small enough to get through the firewall, and then on the far side you’d download them and run “unshred”, which would reverse the process.
Once we had demonstrably got our software through the firewall a few times, IT/infosec realised their objections were futile and they relented and whitelisted our upstream so we could just do a normal install for all future releases.
1. I was working as an intern at a router company (basically doing manual QA of software releases). One day one of the software developers comes by and wants to see how hard it would be to add a feature (IP address autonegotiation for point-to-point links). The code already existed in a library, but there was not official way to enable it. The developer did mention that it could happen automatically if the up address was unspecified. I was able to get it active by creating a virtual interface with a manually set IP address, setting the point-to-point link to use the same IP address as the virtual interface, then deleting the virtual interface.
2. I was working on a Government funded research project and some other company was responsible for developing the board support package. The board we were working on had 1 ARM core and a 7-core DSP in a NUMA configuration. I had a processing pipeline that split the processing between cores so that each core handled a different part of the chain. The full code did not fit in DSP memory, so we had separate images for each core. I was seeing crashes every time one of the DSP cores finished handling a message. Eventually I was able to determine that the messages passed between cores by the platform were actually C++ classes with a virtual destructor. My work-around was to overwrite the first 4 bytes of any message the DSPs received with 4 bytes from an empty reference message created locally. That overwrote the vtable and prevented the crash.
I came upon an online contest by a food company where you had to submit pictures of yourself cooking with your kids using their products. People could then vote on the submissions (one vote per day / cookie) and the top 10 would win travel vouchers of between 500 to 5000 bucks value.
I found out they'd done that before in other countries where apparently you had to submit videos, because there were tons of them on YT. I then used screenshots from those videos to make fake submissions.
Then I found the url to cast votes, put them in a script within a legit advertising banner from a marketing campaign my company was currently running (I guess that's XSS?). I knew how many ad impressions each banner was to receive, so it would cast a vote only every 2k impressions or so.
I ended up making off with about 4 grand. I'm only partly ashamed because: The call to cast votes would also return the current vote count. So I'd cast a vote for each submission once a day and put it in a db in order to monitor the current rankings. Turns out there was another guy whose votes would go up by exactly 100 a day, so it was either him or me taking home the money.
I did this sort of stuff a couple times back when these exploits were more commonly possible (marketing people and their devs seem to have learned) and every single time there would be someone else who was also cheating. So really it was a hacker vs hacker (or rather kiddie vs kiddie) sort of battle rather than taking from the legit players.
A helluva lot more rewarding tweaking wide-open custom hardware than making adjustments to uBlock.
I created a work around: if upstream changed then do stuff.
I scratched my own itch, it was kinda neat to effect a several hundred times speed increase on a certain condition (if no updates, tell me quick (freebsd-update cannot do this)).
https://github.com/tux2bsd/freebsd-update-probe
Oh, and I'm not a programmer.
On FreeBSD:
I don't use FreeBSD, but I'd recommend it to try out as a hobby OS. It has a few cool things: hard separation of OS vs external software, & /etc/rc.conf, & pkg.
They HATE me at the FreeBSD Forums - a horrendously in-group place, full of moderator groupies (bizarre).
Those forums actually do the FreeBSD project a disservice, embarrassingly hyper anti-linux (the 'tux' in my handle was enough for their initial hostility).
The project as a whole is coasting on ZFS success. That said, they were on the money with their early and committed adoption of ZFS.
Anyway, after playing around with different flavours of linux, I ended up with a rather simple solution that ended up being easy to install. Essentially it was a two line script that piped the serial port to the destination server IP address, and inbound tcp/ip piped to the serial port.
So just plugging this little (old school) 486 box in-between the serial port on the legacy system and an RJ-45 connector which plugged into the 'corporate' network and we not only had an upgraded comms layer, but we now had remote system management, which we never had before.
Think it saved $250k+ minimum replacement at next to no cost. Just me barrelling up and down the country installing the new hardware. Was a fun project in the end and started me down the linux appreciation route.
Then one day, a client asked for the ability to draw things on top of the map view we provided. This was pre-HTML5 and nobody on the team knew anything about graphics (which just so happened to be a major area of focus I had done in my CS degree and part of why I thought working on mapping software would be fun. Turns out they delegated all that to ArcGIS). Everyone started talking about Flash and how the mapping server probably wouldn't work with it, it was going to take so long, blah blah blah.
I piped up that I could do it in a couple of days. I hacked together a 2D drawing library in JavaScript that used DIV tags as "pixels" (oh yes, I was also the only person in the company that knew JavaScript. At that time, "serious" software didn't use such "lowly" scripting languages). Pulled out my copy of Foley, Van Damme, Finer, and Hughes and got to implementing Bresenham's. Even made a huge performance optimization by concatenating contiguous strings of DIV pixels in flat, vertical and horizontal runs, into a single, wide-or-tall DIV.
Several years later, HTML5 came out and CanvasRenderingContext2D was nearly identical in design. Well, that was no accident. We both based our work on Java2D.
I didn't report to the QA team after that hack. And that's how a hack got me my first programming job.
Honestly, it's been all dirty hacks in JavaScript like that, ever since.
This was back when the tap-to-pay app was called ISIS, for context.
I combined a couple offers:
Amex's Serve (prepay debit card thing) offered a $1 off any transaction over $1 (a fixed $1, not a percentage), up to 50 transactions a month.
The vending machine company near me that had machines in my office offered a buy-4-get-1-free promo using tap-to-pay that has a very weird implementation: The dollar limit for the buy-4 portion had no lower limit, and the get-1 had a fixed $4 worth of payout.
Essentially, every time I got up and went to the bathroom I'd stop by a vending machine, buy 4 items worth $1.25 (costing me, $1 total), and then use the get-1 portion to buy $4 worth of items.
I'd then turn around and sell said $1.25 items to folks in my department for well under ($0.75 for $1.25 items, etc). I told them exactly what I was doing, nobody wanted to deal with the hassle though. And the dollar amounts were so small. The real reason I sold them to coworkers was because I wanted quarters for the pool table at a nearby bar.
In addition to those two offers, the Amex Serve also just straight up gave you something like $60 for signing up for the account plus adding some small amount of money to the card. This basically funded this series of $0.25 purchases for the entire 6 months.
I basically got unlimited snacks for myself, and a freeish source of quarters to fund my pool games for that time period.
I realized the game was written in Python and dug into the .app directory. It was mostly binary data, but there was one python script with two lines, essentially "import game" and "game.start()". I inserted a pdb checkpoint between those two lines and started the game, dropping into a terminal with the game module loaded. I started peering around with "dir" and ended up finding the function which validated purchase keys, so I replaced it with "return true" and I was able to see the unlockable content.
Unsatisfied with just that, next I used the "dis" module to disassemble the key validation function, decompiled it by hand into python code, and inverted it to make a function which could generate arbitrary keys.
Then I revealed all this to the author and he never got back to me.
In the midst of the pandemic (2020), i worked for a non-profit....and they published all manner of important economic research data on different strata of incomes, families who struggle putting food on the table, etc. All data that they sell to governments for policy work (its that great, valuable, and expertly published) and they also sell it to other research firms, NGOs, etc. (Side note: when i worked for them, they were severely under-pricing their data for way too low prices for how others used, referenced the data) Anyway, among the steps involved in reviewing the reports, I automated link checking of urls used within their reports. The report content lived in PDFs, so i automated grabbing all content from PDFs (not fun!), then picking out urls from the massive copy, then running link checker scans, finally producing a report of any links that were broken. The overall authoring of the reports encompassed many, many months of work - by top-notch research teams - and the design and production of said reports also (sadly) took months to perform. Well, when i automated even just the link checking portion, i reduced their work from many weeks (sometimes 1 or 2 months) down to 1 or 2 days. I left before i could extend my automation, so it still required a human to trigger some steps. But, if i still worked there, i planned to automate far more, and start moving upstream for other areas (like scaling out their report designs, etc.).
Was it some hacker-level thing or rocket science? No way. But, all in all, it was a neat use of python, python pdf modules, some minor bash/cli scripting, etc. I learned a bunch of fun stuff, and the non-profit saved tons of time. I still feel so good when i reflect on that little project!
The prompt should have read "Please scan card count", but unfortunately it missed the "o" out of the last word...
Once in a while the instrument's readings were wildly wrong. After we ruled out actual signal glitches in the analog front end, I started poking around with the debugger, which did have some very nice breakpoint capabilities. This is when I discovered that the C compiler implemented long math operators using anonymous function calls. And that these functions were not thread safe (they used temporary variables below the stack pointer)! If an interrupt occurred during a math operation, the function returned a wrong value. Disabling interrupts for long enough to do a long divide was not an option as that would seriously mess up the operation of the analog front end.
I duplicated the functions in assembler, but with proper use of the stack, and then replaced all the naked math operators in my source code that operated on longs with calls to my new functions.
As the panic was starting to sink in, I managed to find out that an unprivileged user account was still available for SSH login. Once I got a hold of it, I then tried my hand at running several privilege escalation exploits... until one of them worked (what a relief) and I could finally restore proper SSH access on the main user account.
It was both a proud and a pretty embarrassing moment.
Fortunately, we also used Bazel. So I created a custom Bazel rule that aggregates all the required files of a target/service then builds the Docker image within the Bazel sandbox which only contains the files we need. This massively reduced the context size and thus the image build time. From several minutes to single digit seconds.
Whenever I need to try some new service online which requires my credit-card(CC), then I make sure that I create account with a disposable email (using iCloud+) and a virtual credit-card (using Revolut) with max allowed spending to 1~2$ configured and use those for that account. As soon as my account (post CC auth charge) is created then I delete my virtual CC so that I am sure that knowingly/unknowingly I won't be charged or spammed.
Once I am sure that I would really like to use that service, then sign-up with my actual email and CC. I simply love this hack and use it extensively.
I was curious, maybe some random could work. Nope.
Then I had the genius idea, I also had Command & Conquer: Tiberian Sun and the CDkey worked.
One year I fancied going on an around the world trip on this program called "Semester ar Sea" (SAS) for a study abroad. This was explicitly out of scope for the curriculum and the dean vehemently roadblocked my request.
My school happened to have one of those design your own major options so I went in and wrote my own major that was something like "cse and international business" and designed the curriculum so that SAS was a perfect fit.
A few weeks later I pitched the dean and her staff on this "engineering with an international context" major and they LOVED it. She signed on the dotted line smiling and that's when I informed the room that I'd be doing Semester at Sea because it was a perfect fit.
Best of all, having a dean stamp of approval, my scholarship transferred over.
So I spent the next 9 months earning college credit living on a cruise ship with 500 other kids traveling literally around the planet. It was one of the best experiences of my life and I could fill a book with stories by the time I finally came home.
To this day I'm not sure if the dean was pissed or proud or both of me
I was troubleshooting a new interface for a piece of equipment from a company called Lambda Ace. Metrology equipment like this one in semiconductor fabs at that time were poor in this protocol. In this case, the context IDs that came back from the tool appeared to be random and far off from what I was sending. I typically sent small numbers and it was sending me huge numbers. I started looking for patterns in the data and once I looked at this in Hex, it all started to come together. The last 2 bytes were always 0x4C and 0x41. In the text version of the Hex dump, it showed those were the ASCII values for the characters L and A, or Lambda Ace.
I was on an Intel processor which stored bytes in little-endian, so those last 2 bytes were higher order bits making the 4 byte number quiet large. The hack was to figure out the constant from 0x4C41 that I always needed to subtract from my reply's context bytes. I also had to be sure I kept my set of context bits to values that fit in the lower order 2 bytes. It was a kludgy hack for sure and I’m sure broke again with future tools of this type.
So I dove into the generated PS file, located the code setting the subscript, noting that it placed the subscript using the rmoveto operator. The ‘r’ is for relative: It would take a pair of coordinates off the stack, add those to the current position, and move the current point to the new location.
So I added some code to the PS file, first to collect some information along the way, and then print it out at the bottom of the page. I turned out that the rmoveto operator got it wrong! So what to do?
I replaced the rmoveto operator by a few lines of PostScript reading the current position, do the addition, and then execute a moveto operator instead. That cured the problem! The next step was to put that code into a small job exectuting the magic operator exitserver (reads the printer password off the stack), followed by my redefined rmoveto operator. The effect is now global and applies to all print jobs until the printer is power cycled. So that print job went into a cron job running every 15 minutes. Problem solved! That hack was left in place until the printer was retired, years later.
I was contracted by a law firm to manage about a dozen temp workers to convert 1000s of Wang-formatted files to WordStar. Their IT people had us opening each Wang file with a conversion feature in WordStar, and then saving it. WordStar had to be opened and closed for each conversion. (The PCs got files from what was, essentially, a shared hard disk, but DOS and WordStar ran from floppy disks. I.e., it was all very slow.)
I spent my first few hours on the job figuring out what WordStar was doing. I discovered the conversion feature was a stand-alone program, and then worked out the syntax for feeding it a file. Then I built a batch file that would recursively convert entire directories. Needless to say, I was out of a crushingly dull job in a few days instead of a month or so.
I owned a generic ‘286 12 MHz DOS computer at the time. Since PC-Kwik was the Toshiba edition it would not run on generic ‘286. So I used DOS program Codeview, also on floppy, to find and successfully patch the code in the executable program that checked for identification as a Toshiba product. My very first reverse engineering experience.
I'm not sure exactly how I figured out to do this, but I was able to log into my dad's account, open up the terminal, then kill the daemon program that controlled the firewall to disable it. My fading memory tells me that I was simply inspecting the list of running programs on top, saw one named 'integod' (Intego being the name of the company that produced the firewall program), and targeted it. Worked like a charm and you can probably imagine what I used my newfound freedom for (I was in middle school).
Pretty basic command-line stuff, but I do credit the early exposure for my ability to pick up more advanced concepts more quickly when I entered the workforce.
--------------------
One of my more proud work hacks was on a business trip where I couldn't deploy a source code change but could change the compiled binaries and libraries, so I changed some instruction to a NOP to get around a showstopper bug.
1.-When i was like 14 i went to a school where they teach you how to use a computer, i picked up everything really fast and found out that they recorded student payments in a csv file, the file was in a shared folder in a windows 95 machine, editing the csv to add my name and amount paid was really exciting.
2.-There was a series of flash animations named HuevoCartoon you could see them in their website but if you saved the swf it would jump to the end so i used HIEW to open the swf and if i recall correctly it had a script that checked if you had the swf open in a browser and if the url in the address bar was a specific one, well so what i did is 090 the whole instruction and i could play it offline, i remember sharing them with my friends at school, eventually those guys decided to do that check every frame so i wrote a tool in C to look for it and 090 the instructions.
3.-One day i did not have too much to do at work and i was talking with a friend and he explained how bored he was with his job, what he did then, it was take a set of 3 pdf files and create an xml with the file names and put them in a zip file with a name structure like john_doe_12345678_xrftv and upload the file to a server , well i told him to install python and i wrote a script that would automate all that, it took like 5 minutes to generate the xml and the zip file for like 20,000 sets, so he spend almost all the time playing battlefield 3 and on Friday he would upload a little bit more than his boss was expecting, it was a contract for 6 months, he finished his job a couple of weeks ahead and got a bonus and a job offer, he is still working for that company and is a really good Python coder, he decided to learn after that experience.
The parents had put a parental block on some R-rated channels and we wanted to watch those movies.
We found 2 different ways to get around it. The first one was to use the built-in timer to go to that channel at a specific time. I wondered if it still blocked the channel and no, it didn't! So just set a timer for 1 min from now and "poof!" could watch that channel.
The other way was that with C-band dishes the satellite dish had to move along an arc to receive signals from specific satellites. The receiver would remember the positions and the satellite was "identified" by a certain position on the arc it traversed. Of course the parental block was just a combination of "satellite-channel" block. So you could manually move the dish via the remote a very small amount so that it was on a part of the arc the receiver didn't consider "the satellite" but you could still pick up the signal. Boom, no parental block and you didn't have to wait for the timer to change the channel.
Was pretty proud of myself for those two.
There were other dirty tricks, for example the table of (one-letter) commands was at the end of the ROM, and was terminated by a letter with the 8th bit set, which we got by reading the address after the ROM. As a aside effect, you could extend the commands by installing a second ROM in the proper place.
That time I knew the instruction set for the 1802 by heart. I even dreamed directly in hex.
Along the way, I noticed that the game still had debug printfs contained, so I built another little tool to replace their printf handler with my own. Seeing this diagnostics data for some odd reason made me very happy :)
We got a client whose brand and web presence was relatively more-modern. I soon found out that the sales and design teams landed the client by promising much more than what the CMS could deliver-- responsive, hand-tooled pages with flexible layouts. The timeline was a few weeks.
I took a walk and despaired. The way that CMS pages were implemented meant that even small changes to page layouts required database changes, which themselves required DBA review (which only happened when the DBAs deigned to descend from the mountaintop). There was no way that we could also support arbitrary layouts with the fixed database columns.
An idea finally came to me and I found one of the only backend devs that was willing to play along. We reused one of the existing templates, a simple one with only one large content area. I wrote a frontend that injected itself into that page and rendered a canvas with slots to place arbitrary widgets. The entire configuration was then JSON-encoded and stuffed into the single text database column, and when the page was loaded from the CMS we hijacked the load to decode the config and render our widgets instead of the CMS field.
The company actually won an award for the system and gave out beer steins at the holiday party with the system's branding on it. Over the next few years, they retooled the entire CMS to actually support the concept as a first-class idea instead of my hack, although I moved on fairly shortly after that moment of triumph.
Apparently, this department had absolutely no idea that their email was publicly available. I was friends with our IT guy who greeted me when I came into his office with "Why is my boss asking me who is
1. I created a static List 2. The Discord user sends a command to render some colored text 3. We create a SadConsole.Console instance; draw the text onto the Console; and push a job to the job list. 4. When the MonoGame instance enters the "Render" call, it runs each job in the job list. 5. The job we pushed then saves the Console to a PNG in a memory stream (file operations were substantially slower in thread for some reason), and then calls Discord API to send the response. I'm personally proud of this because I used MonoGame in a way that it was not intended for. The code worked at the time it was written. Unfortunately, it does not work anymore at this time (likely due to some API update). The code is available here: https://github.com/INeedAUniqueUsername/Colorbot/blob/master...
I bought a broken spare off Ebay, opened it up and found something that looked like an EEPROM (a 24cXX 8 pin chip) on the motherboard. With terrible SMT soldering skills, I swapped the chips and I was in. It's a pretty cool buzz when you're 19 years old. I guess the contact knowledge from my father, an electronic engineer specialized in Microchip microcontrollers, helped a lot.
Also, deeply antisocial follow-up: my father was working on a project for a company, and was deeply underpaid and died poor. I knew they wanted his hard drive to get the source code, so I made a backup, shredded it multiple times with random data and prepended the string "CrYpT" at the start. I gave it to them, said it was encrypted and I could do nothing about it. Last I heard (this was almost 20 years ago) they sent it off to an expensive data recover facility but they could not recover anything.
Sorry Dad, but fuck them. Pay your engineers.
I run the build and eventually it failed. It failed, because Yocto keeps inode numbers in an SQLite file for an LD_PRELOAD library, that fakes root privileges or something like that. I did a simple SQLite utility in C before and I modified it so it would put correct inode numbers for all the files. After I made it to compile I was surprised that it just worked. I run a find with -exec of my tool for those database files.
Now the build mostly worked, but occasionally it failed. I don't remember exactly, but some of the hard linked files had to be replaced with a copy. I did not investigate further to make it automatic, but I considered checking the build log and doing the copying automatically or maybe to get to know how differentiate which files to leave alone. There was not a lot of files like that and after the build I did not have to do a big rebuild like that often enough to care.
It was not smooth, but I made it work. I wondered about creating a separate BTRFS partition (even in a file) that would do the dedup hidden or a fuse filesystem that would mask my own dedup.
And the luckiest hacks were when I was editing diablo 2 save files with HEX editor in FAR commander and getting tons of super cool items in the process. And sometimes a broken save file
I found a trick that I called "graveyard jumping", which involved sneaking a Level 1 character into a high-level zone far enough to reach the area of the next graveyard before dying, then the next graveyard, then the next.
After a couple of days of survival horror gameplay, I had a dozen of Level 1 characters in multiple high-level areas of the world. The point of reaching these areas was vendors with rare items on cooldowns -- usually recipes or trade books.
I would log into those Level 1 characters (to sheer bewilderment of higher-level locals), buy the cooldown items from the vendors, then send them via mail to my main character in the capital, who would sell the items on the Auction House at an enormous markup, collect the profits, and send some gold to the Level 1 characters so they could cover their item mailing fees.
I never raided or belonged to a guild, but I had so much money that a friend, who was a leader of a high-ranking raiding guild, sometimes came to me to borrow some gold.
Good times!
I had a bright idea in the shower one morning, went to work and told our project manager that I could deliver an IMAP4 demo in two days. I explained how, the architects admitted it would work, so I knuckled down and wrote a new API for our POP3 server that understood and responded to high level IMAP4 requests (we didn't need to return message parts or anything more atomic that an entire body).
Of course, the day after we finished testing this, the product owner decided we wouldn't include it in the demonstration, but that's life.
I wrote a uhid driver that listens on a socket and a cli that sends click/release events to the driver so I could map left and right click in my WM.
Motivated to prove myself, I ended up writing a crawler with all kinds of contingencies for the crap UI, which would press the "Download" button that downloaded each record as a JSON file (couple thousand of these). Then my little node app would shoot the JSON files to an S3 bucket for safekeeping, parse them, and save each record in DynamoDB I believe it was.
Doesn't take a genius to come up with the idea to write a crawler, but no one else did, and the business was entering a state of frantic desperation re: this issue, so I felt pretty smart for a bit.
Then a few months later they abandoned the CMS and all it's corresponding data.
Then we notice the server is getting terribly slow. They were under a high load and finally my boss at the time figured out why: The disks were being hammered by database reads and writes.
I was the junior most among the three of us who managed servers, and I recall standing In a circle one afternoon discussing the problem and possible solutions.
We considered things like building dedicated database servers, And I really don't recall what else. But while I was thinking about the problem, any delightfully simple answer came to mind.
I presented my idea and it was adopted right away. Better than that, it solved the problem.
The hack? Install another hard drive and put /var/lib/MySQL on it.
These days that would be a terrible solution. But back then we were running things like Celeron 300s in giant 4U cases and had plenty of power and space overhead to make room for another disk
It would rewrite the implementation jobs whenever you saved either the template or the implementation. It wasn’t super fancy or even that difficult to be honest. Just would copy the xml and do a text replace then force Jenkins to reload it.
It was a pretty inelegant and somewhat fragile solution. But it worked for what I needed. It even was the top google result for “Jenkins templates” for a while. I eventually had someone else start contributing bug fixes and I made them the maintainer.
Turns out this particular game company (Falcom) had a habit of implementing their own compression on their assets. So I had to painstakingly read the disassembly. It got to the point that I had notebooks of hand written disassembly so I could read and think about the code when not at a computer. Eventually I figured out how to both decompress images and text and then save the decompressed assets in a way that bypass the compression. I wrote the hack and patch and was super happy. Of course it blew up the size of the game assets for translated materials, but it worked.
The only thing out there that would support it was this software called WinGate that did a thing called socks proxy.
The problem was that WinGate cost over two hundred dollars, which I couldn't afford and I refused to pirate it.
I was reading a book about the internals of the IP protocol and I had an idea...
What if I took the traffic that was addressed to an external IP address and assigned it to a high port number, specific to each computer. When I got network packets back on that high number port, I could rewrite the IP packet to deliver it to the originating computer.
I coded up a minimal little working example in C.
What I didn't realize at the time was that I'd basically (re) invented NAT.
I never ended up developing into a robust solution because it was around then that the Linux kernel added "ip masquerading" with a custom kernel compilation flag, which did the same thing but better.
Still, was a cool hack.
We would host small websites with PHP and PHPMySQL, as well as eggdrop and bouncers.
Most of these kinds of hosting were flaky and half baked at the time, and we were no exception. There was a brutal war of who would become the biggest host of egg drops and bouncers.
I'm not specially proud of it, but we did manage to find some PHP vulnerabilities on some competitor website (the typical kind at the time, where you type "?page=index.html" and that would load anything).
We managed to upload one of our PHP files on their server as an avatar on their PHPbb forum, and could then execute it with the include-from-url vuln.
We then proceeded to host eggdrops as PHP scripts on their servers that we would start by just loading the page we uploaded there.
No real harm done though, I think both us and them were just teenagers way too concerned by IRC social status :)
HDGT26YA
HDGT26YB
HDGT26YC
HDGT26YD
...
Not that big in the grand scheme of things but pretty satisfying for an afternoons work.
https://github.com/bigskysoftware/htmx/blob/a3c414dcee94fd03...
basically, redesign the arguments for a function such that I can call it again at a given spot with one parameter changed and, to a first order approximation, it acts as if the function is resumable.
I've used this trick in a few places now, just recently in idiomorph to allow head elements to load before the rest of the content is morphed:
https://github.com/bigskysoftware/idiomorph/blob/e6dfc189fa3...
- in ObjC, with no prior knowledge of it or any lower level language than PHP or JS
- by dynamically switching the OS keyboard layout to a custom reverse-QWERTY one I somehow figured out how to hobble together
- and a daemon to restart it when it crashed because I presumably had horrific memory management issues I didn’t know how to debug at the time
- with one hand, because my left hand was unusable for a couple months after a serious bike accident
… all so I could keep working at a normalish pace, because at the time I couldn’t afford to take time off to recover, much less fairly expensive (to me at the time) and patent encumbered half-QWERTY keyboard hardware.
There are other use cases [not just those ;) but also those], but that little pile of hacks legitimately prevented my injury from being a life destroying catastrophe.
I’d share the pile of hacks but I probably need to run it by lawyers first.
Unfortunately all downhill from there, even shipping market disrupting SaaS feels like a step back in problem solving.
I called him "you didn't call, did you update the software before the match?"
- "I didn't want to bother you, all is under control" - "The latest software is the only one managing overtime and match end penalties, if you didn't update and the match end on a tie we're in trouble. Like we can't display scores to 2 billion TV viewers." - "Shit, I didn't check and didn't upgrade. Let's pray..."
What did you think happened? 90 minutes of game later, we're on a tie, and the software doesn't manage it. Of course it's impossibly risky to upgrade the software once the match is ongoing anyway.
Fortunately we could manage overtime manually by resetting the match in the software, then adding goals before starting up. - "Let's hope there are no penalties..."
What did you think happened? Overtime ended, and still a tie!
So we resetted the timer and score again, but we had no way to use the software to display the correct scores at the very end.
Therefore the only way was to manually update the score directly in the Antero software on the SGI Octane (instead of using the remote control PC), by rapidly typing in the data seconds before setting up the page on air. Of course, I was the only one knowing how to use Antero, so I was in front of my TV, watching the live broadcast, and telling Carlos on the phone as soon as the referee blew his whistle:
"On the keypad type 5000 then Enter. Hit tab twice. Enter 4. Hit Tab twice. Enter 3. Tab 4 times. Enter 5. Tab 2 times. Enter 3. Hit Escape. Press shift+* on the keypad. Press Ctrl+Enter on the Keypad. On air!"
And there it was on air before the world's eyes, correct score and stats.
Then, mostly as a goof, I tried signing up with an address like "studentfoo@uni.tld@example.com" where I controlled the second domain. Lo and behold, the confirmation email showed up in my catchall inbox on that domain.
Pretty sure the only check the site did was .contains("@uni.tld") and assumed it was good enough. (or whoever wrote it put it in as a backdoor) Really regret not reporting that bug to them.
What I found more entertaining was that two of the biggest names of the era were also vulnerable to commands to terminate forum text entry boxes, and begin displaying other parts of the page. Thus, a creative security tester could end the text fields box, and add commands to display other things.
Because part of this was interpreted server side, and partly client side, it was like a two for 1 enabling command execution server-side, and opening up the door for client side nefariousness too.
Providing a handy working link to download the SAM file on Windows from the repair directory, or output /etc/shadow
I posted the hack on the old Compuserve BBS and it had over a million downloads the last I looked.
Anyways, as we began the 3rd piece, I looked at the 2nd bassoonist and told her she would have to play all the solos (which she hadn’t prepared for).
At intermission, I had a crazy idea, so I found my sister in the audience and asked her if she had a stick of gum. To my delight she did, so I chewed it up, stuck it to the back of the pad, and put the pad back on the instrument. To my surprise the hack worked, and I was able to complete the rest of the concert.
tl;dr: My snot nosed 20 year old self violated a school-owned $20,000 instrument with 10 cents worth of chewing gum at intermission, but managed to play all my solos, and then afterwards learned how to properly reseat pads with a lighter.
Reshaped RAID by
* LVM moving entire storage off to external iscsi SAN * wiping the controller config and recreating it from scratch in desired layout * migrating it back from SAN
(before the whiners, it had backups and it was a node in cluster so even if it died no availability loss).
Similar weird admin trick was
* removing all of the nonessential LVs in LVM * creating a big fat file in /dev/shm (essentially ramdisk) * migrating storage to that file * shredding content of hard drives * voila, shredding drives of system without restarting and with still having ability to clean shutdown it.
2001
I worked for a localisation company and we had to do this mind-numbing work that involved opening an image, selecting the picture, cropping it to a certain size, selecting the image, adding a feather to the selection and adding a faded border around the edge, in photoshop
I discovered photoshop actions, which let me record a macro and automate and chain together a bunch of actions.
For weeks, I always had my work done on time. like, a few hours of work done in the first few minutes of the day, and I could spend the rest of the time surfing the internet.
Then eventually I messed up - the format had changed slightly but I was using my old automation and made a record number of mistakes. they were on to me. my team lead made me show him the trick, and introduced it across the team. And for the rest of that month, we were the most productive team in the company, and all had our work done within half an hour of the start of the day, and the rest of the day to mess around on the internet and play games (I wanna say doom but that seems super old for the time - maybe they were just shitty PCs and couldnt handle anything else)
photo: http://i.imgur.com/RbDkt.jpg
story: https://old.reddit.com/r/Cartalk/comments/10cwhb/til_how_to_...
I look for hostname@ in the streaming stdout of my ssh process and if I see one, in addition to other heuristics, I notify that a command completed over ssh.
Weaponized virsh save/restore because of how Linux handles mounts (mnt_id)
My site has recently been the target of some extremely aggressive "card testers" (criminals who have huge lists of stolen credit cards; they use bots to stuff small donations into donation forms to test which cards are still working). At first I just blocked the offending IPs, but they kept finding new IPs, creating a lot of annoying work for me. So I pivoted--instead of blocking their IPs, I started feeding them randomly generated false responses with a statistically accurate "success" rate. They are trying to build a list of working cards, and getting absolute garbage results.
It is still ongoing, but so far they have run ~50k card tests in over a week, and 99.9% of the data they have collected from us looks legit, but it is totally bogus. It pleases me to know that I am polluting their data, and ultimately wasting a lot of their time and effort. Consume excrement, evil-doers!
I'd still use them if there just was no other way - or if I needed a time-critical band-aid that stops the bleeding for now, while I work on a proper fix. But these days I feel more ashamed rather than proud afterwards...
In the process, I accidentally damaged the (secondary) ice maker, so I called an appliance repair tech. After I explained the situation, he said I had a better chance of repairing it than he did.
It's a real world version of a bug that I was clever enough to create, but not clever enough to fix.
If it didn't get a 200, it bounced Apache
Ran every couple minutes for years
I was a kid, trying to play the game "Thief" on a newer computer. The game would never boot, always crashing when it tried to load video. I found all the video files, and deleted them, and the game worked. I felt like a god.
He gave me a graduation speech where he expressed his surprise as no one had done it for a very long time.
Meanwhile while putting stuff like that on my CV (including stuff like cum laude, TA, teaching as a web development bootcamp instructor, some actual programming experience, hall of fame with computer graphics engine building). No one cared :')
Other than Facebook (3 years after graduation), no one interviewed me at a FAANG. No cared about my big achievement that I'm proud of. People don't get it. You think it's only possible in 3 as if it's a set in stone rule (people at my uni certainly believed it) and you defy that and succeed! The disbelief on people their faces. And I shared my exploits and other students were able to do it too! The sheer rebellion of it all! Yea, it was fun :)
For anyone in uni, you can most likely do it too.
The fact that no recruiter or hiring manager at any hip company I wanted to work at cared, it made me bitter for a few years. I really wanted to work for a big tech company for those few years. In truth, I wanted that because I wanted to earn some good money while being fully immersed in the tech world and just focus hardcore on tech. I never got that opportunity (other than FB, which I failed). Focusing hardcore on tech, I did get that by simply studying at VU
Instead, now I work 4 days per week and am mostly working remote living my life as a digital nomad. That's my hack to the question "how do you become rich right now?" If you're single, work 4 days per week and travel. I'm on a Western European salary, so it's doable but I'm not making any savings. Like I said, it's a hack.
And if you're like "we meant computer systems!" Well, it wasn't specified, so I could hack my answer ;-)
I played a lot of hackthebox.eu and I realized that: hacking is a spirit.
https://www.franz-enzenhofer.com/a/gtag-make-faster
it's a hack, not a solution
Started as a hack, turned into the standard way of how I deploy all my personal projects, and then some.
I won the 5k and it bought me my first car.
Using ollydbg to find some embedded encryption keys
By hand.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This is the story of how early in my career (~15 years ago) I saved the jobs of 100+ employees along with $20M+ of accounted revenue...
I had built an application that had become the core of a large and prestigious business (can't describe the software or business sector due to NDA). One night I get an alert that one of the drives in the server hosting the application was failing and needed to be replaced -- not a big deal since the system was running RAID-5 so it it could take a hit. So I contact the IT company providing service for the business and they sent out a tech...
.. who was a little green...
When they reconnected the drives to the motherboard they were out of order and the RAID controller went to work using the new (zero'd out drive) as part of the main array. The tech freaked out when the system wouldn't mount and then proceeded to swap the cables around several times while rebooting!!
This effectively "encrypted" the drives!
I get a call much later that night from a crying tech informing me that the machine is trashed and that the backups had failed!!
I immediately drive to the site and collect the hard drives to bring back to my home office, first thing in the morning I purchase several large drives to duplicate on to and return the original drives to the business so they can send them out to a pro data recovery company.
Upon examining the drives I learn that there are three different partition schemes across the four drives which are using RAID-5 with LVM, but with unknown RAID parameters...
So I start hitting the books, and by that I mean reading the source code for ext3, LVM, and MDADM -- at the time the relevant block level device driver code for MDADM was extremely terse, almost un-commented, and in German, which I do not speak O_O
I took several 16-20 hour days of pouring through sector by sector hex dumps of the drives, but I was eventually able to line up and decode the LVM header blocks and work backwards to find the ext3 superblocks and the start of the filesystem. I then wrote my own RAID-5 virtual loopback device driver that knew about the permutations in the data blocks caused by the drive shuffling and was able to extract a complete filesystem. After hand patching the superblocks I was able to mount it and recoverd all of the mission critical data!
Prior to this I only had an abstract sysadmin-level knowledge of Linux filesystems :)
Also, the pro data recovery firm wasn't able to recovery anything and tried to lie saying that the drives were physically damaged! The CEO and CFO had me sit in on the phone call and jump in to correct them, the tech from the recovery company was speechless and then accused us of trying to set them up! We (the C-levels and myself) had a good laugh and then went out to have a couple drinks ;)
Another one was during high school as well, as an exchange student. In the computer science class there was a certain network game, and we were joking about high scores. So I checked out the score file format using hex editor, and created a tool that was able to modify the high score table.
When in the university, I needed to graduate soon, as I was heading to Silicon Valley. I had one weekend reserved to do a major statistics assignment. The assignment had to be done using a certain MS-DOS based tool, created by the professor. I had planned to use university computers to do it, but my electronic key had expired. It was not possible to extend the key during the weekend. It was possible to get a license for your own laptop, but even that required somebody to give you the licensing key, and that was not possible during the weekend. So I started my assignment by cracking the licensing for the tool. The licensing was based on a challenge, that was based on random number. Fortunately for me, the random number seed was the time (in seconds). So I put the machine to work for the first night, and it was able to brute-force the right challenge by resetting the system clock before each trial.
Later years one hack that I was proud about was creating an entry in the Linux drivers for my digital camera, and I submitted it as a patch as well.
Not a Windows guy, but I was working on a server software that was also ported to Windows. We had a weird timing bug that we knew approximately how to reproduce, but it was so rare we could not do it, and it was happening only with production version, not debug version, and only on Windows. We did not have a core dump (or whatever that was called on Windows at the time). So I created a framework to start the server, execute the operation on the server, and use Windows facilities catch crashes and save the core dump. With that framework I was able to find and fix the bug.
My latest proud hack is a system for time lapse microscopic photography. I have a lab microscope, and I mounted a Canon DSLR on top of it. An Arduino is connected to the camera through remote shutter port, so I can wake up the camera from sleep. I had to create the shutter control hardware on the Arduino from a remote shutter button. The Arduino is also controlling a stepper motor, which has a Lego wheel on, which on turn has a caterpillar track, which in turn is controlling the zoom on the microscope. This allows me to control the Arduino zoom. Then I have created custom keep-focus software, which uses images from the DSLR, and calculates how close the image is to the original, and tries various adjustments to find where the focus is closest.
I had - ahem - acquired some user logins for my local ISP. Not knowing any of their dialup numbers on account of not being a customer, I just called them and asked for it. They gave it to me no problem.
The weakest chink in the armor of any company will always be its humans. The unpatchable hole.
Runner up: I was noticing that if it was really quiet I could hear noises from my speakers even when nothing was playing from my computer. I eventually listened long and closely enough to hear that it was a local radio station. In a flash of brilliance that came from where I don't know, I looked up their website and emailed their engineer. I got the most detailed and thorough response I think I've ever received back from a cold email.
A protip in that vein: If you want to read a scientific paper but can't afford the journal fee online, email the author(s). Turns out they love when people are interested in their work, have the right to share it, and will send you a copy 100% of the time I've tried this. Sample size: 1
